What is DORA?
DORA (the Digital Operational Resilience Act) is an EU regulation intended to ensure that financial entities can withstand, respond to, and recover from ICT-related disruptions. It does this by requiring measures that strengthen operational resilience and protect the financial system from cyber threats. DORA comes into effect as of 17th January 2025.
As a regulated financial services provider, Gemini Europe* falls into scope for DORA.
We have taken all necessary steps to ensure readiness and are fully prepared to meet our regulatory obligations.
To read the regulation in its entirety, please refer to the Official Journal of the European Union from 27 December 2022 here.
How does Gemini Europe ensure compliance with DORA?
We have implemented a Digital Operational Resilience Strategy, a comprehensive ICT risk management framework, conducted ICT risk assessments, and aligned our policies and procedures with DORA’s requirements. This includes robust incident management, business continuity planning, and testing of digital operational resilience.
What measures have you taken to manage ICT risks?
We have established a governance framework for ICT risk management, which includes:
- Identifying and assessing ICT risks and ensuring appropriate controls are in place to mitigate identified risks.
- Monitoring and reporting on ICT risks as part of our overall Enterprise Risk Assessment.
- Ensuring compliance with regulatory requirements for ICT risk management.
How do you ensure the continuity of services in the event of ICT disruptions?
We have developed and tested business continuity and disaster recovery plans to ensure the uninterrupted delivery of services. These plans include measures for data recovery, alternative communication channels, and operational redundancies.
How will you handle third-party ICT risks under DORA?
Gemini Europe receives hosting and management of its digital services from its US affiliate, Gemini Trust. An intra-group outsourcing agreement is therefore in place between Gemini Europe and Gemini Trust, with appropriate governance and reporting routines to oversee and monitor performance.
In addition, we are establishing a framework for managing third-party ICT risks, which includes:
- Ensuring due diligence on ICT service providers.
- Monitoring and managing third-party risks throughout the lifecycle of the relationship.
- Ensuring that contracts with ICT service providers include provisions for compliance with DORA.
What steps have you taken to ensure compliance with DORA’s reporting requirements?
We have enhanced our existing processes for reporting ICT-related incidents to the relevant authorities and stakeholders in a timely manner. This includes maintaining an incident register and ensuring compliance with DORA’s reporting timelines.
How do you ensure the security of customer data and ICT systems?
We adhere to stringent information security standards, including ISO/IEC 27001:2022, and implement measures to protect the confidentiality, integrity, and availability of customer data and ICT systems. This includes regular security assessments, penetration testing, and employee training.
What is your approach to digital operational resilience testing?
We conduct regular digital operational resilience testing, including threat-led penetration testing, to identify and address vulnerabilities in our ICT systems. These tests are designed to ensure that our systems can withstand and recover from cyber threats and other disruptions.
How does this affect my use of Gemini’s products and services?
This legislation affects all Gemini users in the EU and EEA. However, none of the changes Gemini has implemented in order to comply with DORA will alter how you interact with Gemini’s products or services, so you should notice no difference when using them.
I am a financial institution with a Gemini account, and I believe Gemini is a critical ICT service provider. How do I reach out to discuss Gemini’s obligations under DORA?
Under the framework of DORA, critical ICT providers are typically those offering foundational technological infrastructure, such as cloud computing, cybersecurity, or data processing services, which support the operations of multiple financial institutions. As a cryptoasset exchange and payment provider, we generally do not consider ourselves to fall under this definition.
However, if you would like to discuss this further with our team, please reach out to institutional@gemini.com.
*Gemini Payments Europe Limited (“GPEL”) is authorised by the Central Bank of Ireland (the “CBI” and “Central Bank”) as an electronic money (“e-money”) institution under the European Communities (Electronic Money) Regulations 2011 (the “E-Money Regulations”). GPEL is authorised to issue e-money to its customers and to provide payment service 3(c), as listed in the Schedule to the European Union (Payment Services) Regulations 2018 (the “PSRs”). Gemini Intergalactic Europe Limited